I'm looking for an easy way to follow a packet through the iptables rules. This is not so much about logging, because I don't want to log all traffic (and I only want to have LOG targets for very few rules).

Something like Wireshark for Iptables. Or maybe even something similar to a debugger for a programming language.

Thanks
Chris

Note: It doesn't have to be a fancy GUI tool. But it must do more than just showing a package counter or so.

Update: It almost looks as if we can't find anything that provides the functionality that is asked for. In that case: let's at least find a good technique that's based on iptables logging, which can be easily turned on and off and doesn't require writing iptables rules redundantly (having to write the same rule for -j LOG and -j ...).

Thanks for the idea. Unfortunately, I can't log every rule (on one system, the disk probably wouldn't be fast enough to do that; on another, iptables logging isn't available in the kernel).
– Chris Lercher, Mar 16 '10 at 13:13

One related question about logging: Does iptables handle multiple packets concurrently (so that log entries could be interleaved)? In that case, I think the TOS idea would be an absolute must for a lot of iptables LOG analyses!
– Chris Lercher, Mar 16 '10 at 19:18

I don't know the answer to that. I expect that each interface would be handled concurrently by iptables at a minimum though.
– Haakon, Mar 16 '10 at 23:57

If you have a recent enough kernel and version of iptables, you can use the TRACE target (seems to be built in on at least Debian 5.0). You should set the conditions of your trace to be as specific as possible and disable any TRACE rules when you are not debugging, because it does spew a lot of information to the logs.

TRACE
This target marks packets so that the kernel will log every rule which matches the packets as those traverse the tables, chains, rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix: "TRACE: tablename:chainname:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains. It can only be used in the raw table.
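The script below is an added example, not code from the original answer or from the iptables project. It ties the TRACE answer to the request in the question's update (something that can be switched on and off without duplicating every rule as -j LOG): trace_on and trace_off add and remove a single TRACE rule in the raw table, and trace_flow plus trace_path turn the "TRACE: tablename:chainname:type:rulenum" lines from the kernel log into the ordered path one packet took. The address 10.0.0.2, port 22, the "ssh-guard" chain and the sample log lines are constructed for the demonstration, and the iptables calls assume a kernel where TRACE writes through the LOG backend to the kernel log.

```shell
#!/bin/sh
# Added example, not from the original answer or the iptables project.
# Assumes: iptables with the TRACE target available in the raw table and
# LOG-style output reaching the kernel log (dmesg, /var/log/kern.log).
# 10.0.0.2, port 22 and the "ssh-guard" chain are constructed placeholders.

# Match for the one flow under investigation. Keep it as narrow as the
# answer advises: TRACE logs every rule hit for every packet it marks.
TRACE_MATCH="-p tcp -s 10.0.0.2 --dport 22"

trace_on() {
    # Insert at position 1 of raw PREROUTING (packets arriving on an
    # interface) and raw OUTPUT (locally generated packets), so the mark
    # is set before any other table sees the packet. Run as root.
    # Word splitting of TRACE_MATCH into separate arguments is intended.
    iptables -t raw -I PREROUTING 1 $TRACE_MATCH -j TRACE
    iptables -t raw -I OUTPUT 1 $TRACE_MATCH -j TRACE
}

trace_off() {
    # -D with the identical rule spec deletes exactly what trace_on added,
    # leaving the rest of the raw table untouched.
    iptables -t raw -D PREROUTING $TRACE_MATCH -j TRACE
    iptables -t raw -D OUTPUT $TRACE_MATCH -j TRACE
}

# Keep only the TRACE lines of one TCP flow: $1 = SRC address, $2 = SPT.
# On a busy host the kernel interleaves lines from different packets, so
# filtering on the flow's own fields is what makes the trace readable.
trace_flow() {
    awk -v src="SRC=$1" -v spt="SPT=$2" '
        { hit = 0
          for (i = 1; i <= NF; i++) if ($i == src || $i == spt) hit++
          if (hit == 2) print }'
}

# Reduce TRACE lines (stdin) to the path the packet took:
# tablename:chainname:type:rulenum per hop, joined with " > ".
trace_path() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i == "TRACE:") printf "%s%s", (n++ ? " > " : ""), $(i + 1) }
         END { print "" }'
}

# Constructed, abbreviated kernel-log excerpt: one SYN from 10.0.0.2 to
# port 22 hits INPUT rule 2 (a jump to ssh-guard), falls off the end of
# that chain, and is accepted by INPUT rule 4. A second packet from
# 10.0.0.9 is interleaved to show why trace_flow is needed.
SAMPLE_LOG='Mar 25 14:43:01 fw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Mar 25 14:43:01 fw kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: filter:INPUT:rule:2 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: filter:ssh-guard:return:3 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 25 14:43:01 fw kernel: TRACE: filter:INPUT:rule:4 IN=eth0 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN'

case "${1:-demo}" in
    on)  trace_on ;;
    off) trace_off ;;
    demo)
        # Offline demonstration on the constructed log; with a live trace use:
        #   dmesg | ./trace.sh flow  (or tail the kernel log into trace_flow)
        echo "Path of the traced packet:"
        printf '%s\n' "$SAMPLE_LOG" | trace_flow 10.0.0.2 40000 | trace_path
        ;;
esac
```

Only the rules that actually match are logged, so a rule the packet skipped never appears in the path; the "return" hop marks the implicit return at the end of a user-defined chain, exactly as the man page text describes. Two caveats worth knowing before relying on this: on kernels where iptables is backed by nftables, TRACE output is read with nft monitor trace instead of the kernel log, and on older kernels the LOG backend module named in the man page (ipt_LOG) has to be loaded or nothing is logged at all.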

Thanks, this is awesome! It's actually the best answer, I wish I could accept it (it was a bounty question, so the accepted answer is definite). While I can't use it on all of my systems (due to kernel limitations), on some systems I can. This answer deserves upvoting, because it's really close to what I was looking for.
– Chris Lercher, Mar 25 '10 at 14:43

I found this feature last night when I was re-reading the iptables man page so I could answer a different question. Seems to be a relatively new feature. No worries about not being able to mark it as accepted. Maybe this will get voted up enough over time to earn me another Populist badge.
– Zoredache, Mar 25 '10 at 18:43

Thanks. Points 1) and 3) don't have much to do with following packets through the iptables rules, but the point about redirecting log entries based on "--log-level" may be helpful if I finally really have to fall back to logging (in case there's absolutely no other solution).
– Chris Lercher, Mar 16 '10 at 19:12

I can see what the author wants, though; if you are trying to test your iptables rules on a busy interface, merely watching counters is not going to help a whole lot, particularly if the packet is likely to match on several rules and jump around user-defined chains in the process (as is typical when filtering out unwanted IP addresses, and with flood protection rules).
– PP., Mar 15 '10 at 13:01

@PP: Exactly, you're reading my mind. @Vi: Thanks, this can be helpful in some circumstances, and I've used that sometimes. Now I need something more powerful.
– Chris Lercher, Mar 15 '10 at 13:33